Contents

SELinux X-Windows Support

The SELinux X-Windows (XSELinux) implementation provides fine grained access control over the majority of the X-server objects (known as resources). The Reference Policy modules have also been updated to enforce policy using the XSELinux object manager (OM).

The object classes and permissions are listed in the [[ObjectClassesPerms | X Windows Object Classes] section.

Infrastructure Overview

It is important to note that the X-windows OM operates on the low level window objects of the X-server. A windows manager (such as Gnome or twm) would then sit above this, however they (the windows manager or even the lower level Xlib) would not be aware of the policy being enforced by SELinux. Therefore there can be situations where X-windows applications get bitter & twisted at the denial of a service. This can result in either opening the policy more than desired, just letting the application keep aborting, or modifying the application.

The Policy - The Reference Policy has been updated to support the XSELinux OM and F-12 is now operational from policy version selinux-policy-3.6.32-100.fc12 for targeted and mls versions (Note that in F-12 the OM is enabled for mls and disabled for targeted policies via the xserver-object-manager boolean).

x_contexts File - This contains context configuration information that is required by the OM for labeling certain objects. The OM reads its contents using the selabel_lookup function.

XSELinux Object Manager - This is an X-extension for the X-server process that mediates all access decisions between the the X-server (via the XACE interface) and the SELinux security server (via libselinux). The OM is initialised before any X-clients connect to the X-server.

The OM has added X-protocol extensions to allow contexts to be set and retrieved by userspace SELinux-aware applications. These are shown in Table 1 and used in the Experimenting with X-Windows section of volume 2.

XACE Interface - This is a standards based 'X Access Control Extension' (XACE) that can be used by other access control security extensions, not only SELinux. Note that if other security extensions are linked at the same time, then the X-function will only succeed if allowed by all the security extensions in the chain.

The interface is defined in the "X Access Control Extension Specification". This specification also defines the hooks available to OMs and how they should be used. The provision of polyinstantiation services for properties and selections is also discussed. The XACE interface is a similar service to the LSM that supports the kernel OMs.

X-server - This is the core X-windows server process that handles all request and responses to/from X-clients using the X-protocol. The XSELinux OM is intercepting these request/responses via XACE and enforcing policy decisions.

X-clients - These connect to the X-server are are typically windows managers such as Gnome, twm or KDE. The default for F-12 is the Gnome desktop manager.

This is used by SELinux-aware applications for setting the context on device data.

SELinuxGetDeviceCreateContext

2

None

Get the context set on the device data. This is for use by SELinux-aware applications.

SELinuxSetDeviceContext

3

DeviceID + Context+Len

This is used by SELinux-aware applications for setting the context on selected x_device object.

SELinuxGetDeviceContext

4

DeviceID

Get context of the selected x_device object.

SELinuxSetWindowCreateContext

5

Context+Len

This is used by SELinux-aware applications for setting the context on windows data.

SELinuxGetWindowCreateContext

6

None

Get the context set on the window data. This is for use by SELinux-aware applications.

SELinuxGetWindowContext

7

WindowID

Get the process context that this window is running under (x_drawable object ??)

SELinuxSetPropertyCreateContext

8

Context+Len

This is used by SELinux-aware applications for setting the context on property data.

SELinuxGetPropertyCreateContext

9

None

Get the context set on the property data. This is for use by SELinux-aware applications.

SELinuxSetPropertyUseContext

10

Context+Len

This is for use by SELinux-aware applications for setting the context on the property object itself.

SELinuxGetPropertyUseContext

11

None

Get the property object context. This is for use by SELinux-aware applications.

SELinuxGetPropertyContext

12

WindowID + AtomID

Get context of the x_property object.

SELinuxGetPropertyDataContext

13

WindowID + AtomID

Get the context of the property data. This could be the policy default or that set by the SELinuxSetPropertyCreateContext (9) function.

SELinuxListProperties

14

WindowID

List the contexts of properties associated with the selected WindowID.

Function Name

Minor Opcode

Parameters

Comments

SELinuxSetSelectionCreateContext

15

Context+Len

This is used by SELinux-aware applications for setting the context on selected data.

SELinuxGetSelectionCreateContext

16

None

Get the context set on the selected data. This is for use by SELinux-aware applications.

SELinuxSetSelectionUseContext

17

Context+Len

This is for use by SELinux-aware applications for setting the context on the selection object itself.

SELinuxGetSelectionUseContext

18

None

Get the selection object context. This is for use by SELinux-aware applications.

SELinuxGetSelectionContext

19

AtomID

Get context of the x_selection object.

SELinuxGetSelectionDataContext

20

AtomID

Get the context of the selected data. This could be the policy default or that set by the SELinuxSetSelectionCreateContext (15) function.

SELinuxListSelections

21

None

List the selection atoms for this display. The main difference in the listings is that when the PRIMARY selection atom is polyinstantiated, multiple entries can returned. One has the context of the atom itself, and one entry for each process (or x-client) that has an active polyinstantiated entry, for example:

Atom: PRIMARY - label defined in the x_contexts file (this is also for non-poly listing):

This function will return the process context any valid X resource ID is running under (or the x_client object ?).

Table 1: The XSELinux Functions - Supported by the object manager as X-protocol extensions. Note that some functions will return the default contexts, while others (2, 6, 9, 11, 16, 18) will not return a value unless one has been set the the appropriate function (1, 5, 8, 10, 15, 17) by an SELinux-aware application.

Polyinstantiation

The OM / XACE services support polyinstantiation of properties and selections as these form the InterClient Communication (ICC) that allows X-clients to communicate and exchange information. This allows properties and selections to be grouped into different membership areas so that one group does not know of the exsistance of the others. To implement polyinstantiation the poly_ keyword is required in the x_contexts file for the required selections and/or properties, there is then a corresponding type_member rule in the policy to enforce the separation.

The Experimenting with X-Windows section in volume 2 has examples of using polyinstantiation for selections and then comparing the results to non-polyinstantiated cases.

Note that the current Reference Policy (build 20091117) does not implement polyinstantiation, instead the MLS policy version uses the mlsconstrain statement to limit the scope of these.

Configuration Information

This section covers:

How to determine the OM X-extension opcode.

How to configure the OM in permissive mode.

How to disable the OM when using the Reference policy.

The x-contexts configuration file.

The OMs SELinuxGet/Set.. functions (shown in Table 1).

Determine OM X-extension Opcode

The object manager is treated as an X-server extension and its major opcode can be queried using Xlib XQueryExtension function as follows:

Configure OM in Permissive Mode

If the X-server object manager needs to be run in permissive mode the following entry can be added to the xorg.conf file (normally in /etc):

Section "Module"
SubSection "extmod"
Option "SELinux mode permissive"
EndSubSection
EndSection
<pre>
=== Disable the OM ===
The Reference Policy has a boolean that can be used to disable the x-server object manager if is not required by:
<pre>
setsebool -P xserver_object_manager false

The x_contexts File

The x_contexts file contains labels and initial context information that is required by the OM to initialise the service and then to label objects as they are created. The policy will also need to be aware of the context information being used as it will use this to enforce policy or transition to a new context. A typical entry is as follows:

The object_name entries can be any valid X-server resource name that is defined in the X-server source code and can typically be found in the protocol.txt and BuiltInAtoms source files (in the dix directory of the xorg-server source package), or user generated via the Xlib libraries (e.g. XInternAtom). Note that if an object_name has both poly and non-poly entries in the file, the non-poly entry takes precedence (i.e. the poly entry is ignored by the OM).

Note that for systems using the Reference Policy all X-clients connecting remotely will be allocated a security context from the x_contexts file of:
[1]Cite error: <ref> tags exist, but no <references/> tag was found